
DCRUM 2017 CAS SSL Configuration issue

hmor3
Inactive

Hi Guys,

We have tried to configure SSL for CAS using steps as per below link

https://community.dynatrace.com/community/pages/vi...

title=Configuring+SSL+for+CAS+or+ADS&spaceKey=DCRUM124

1) Used below command to generate a Key & CSR from openssl

sudo openssl req -new -newkey rsa:2048 -nodes -out dynatrace_XXXXXX.csr -keyout dynatraceXXXXX.key -config req.conf

2) Received .cer file from CA

Question 1: Now how do I get this chain.txt as described in the documentation link?

Question 2: What is the role of the keystore if I have used openssl?

Question 3: After my step 2, what all is needed to complete the SSL configuration?

Thanks

Himanshu Mor


jaroslaw_orlows
Dynatrace Pro

Hi, have a look at the 2017 doc. It should be improved in comparison to the 12.4 one.

https://www.dynatrace.com/support/doc/dcrum/data-privacy-and-security/configuration/configuring-ssl-for-cas-or-ads/

Hello @Jaroslaw O. , thanks for the update!

But I cannot see any details about how to generate the chain file even in the new version of the documentation.

Thanks

Himanshu Mor

Hello! What about steps 7 and 8?

7. Open root.cer and webserver.cer in Notepad. Append all contents from each file (Control-A) and merge both into a new text file. Make sure to merge them in the same order they were opened: root followed by webserver.

8. Save the merged file as chain.txt.

Hello @Jaroslaw O. , we have only received one .cer file.

adam_piotrowicz
Dynatrace Pro

Himanshu,

Try the following procedure:


1. Create key:

keytool -genkeypair -keyalg rsa -keystore [keystorename].jks -storepass [keystorepassword] -alias [alias]

2. Create cert request using names defined in previous step:

keytool -certreq -alias [alias] -keystore [keystorename].jks -storepass [keystorepassword] -file my_new_cert.csr -validity [number of days]

3. Send certificate request file (my_new_cert.csr in this example) out to sign

4. Make sure your certificate is in Base64 X509 format; if not, make the proper conversion:

(a) In case you received your signed cert from root CA:

  • Right-click on the certificate chain file (for example, signed_cert.p7b) and select Open.
  • The certificate should open in the Windows Certificates tool. If not, open certmgr.msc and use the import tool.
  • In the left pane, expand Certificates - Current User > Certificates. You will see imported certificate.
  • Export the certificate into Base64 X509 by right-clicking on each certificate and selecting All Tasks > Export.
  • Click Next.
  • Enter the name of the exported file, for example, signed_cert.cer for the root certificate.
  • Click Finish.


(b) In case you received your signed cert from non-root CA:

  • Right-click on the certificate chain file (for example, signed_cert.p7b) and select Open.
  • The certificate should open in the Windows Certificates tool. If not, open certmgr.msc and use the import tool.
  • In the left pane, expand Certificates - Current User > Certificates. You will see imported certificate.
  • Export the certificate into Base64 X509 by right-clicking on each certificate and selecting All Tasks > Export.
  • Click Next.
  • Enter the name of the exported file, for example, signed_cert.cer for the root certificate.
  • Click Finish.
  • Repeat the procedure for all Intermediate (there can be more than one) and Root certificates (e.g. root.cer & intermediate.cer).


5. Import signed user certificate.

keytool -import -alias tomcat -keystore [keystorename].jks -storepass [keystorepassword] -trustcacerts -file signed_cert.cer

6. Export the key created at the beginning to PKCS12 format.

keytool -importkeystore -srckeystore [keystorename].jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore pkey.p12

7. Convert exported PKCS12 binary file to PEM format

openssl.exe pkcs12 -in [path.to]pkey.p12 -nodes -nocerts -out [path.to]pkey.pem

8. Configure the following settings in the /config/common.properties file:

  • Point connector.ssl.SSLCertificateFile to the signed certificate file converted to X509 (signed_cert.cer)
  • Point connector.ssl.SSLCertificateKeyFile to the key you generated using the keytool, for example pkey.pem.
  • Point connector.ssl.SSLCertificateChainFile to the chain of certificates, that is, the chain.txt you created by joining the contents of the .cer files.

9. Set the key password.

  • In Windows, go to Programs and Features > Uninstall a program, select Dynatrace Central Analysis Server and click Uninstall/Change.
  • In CAS installation dialog, select Change HTTP and SSL Server settings and click Next.
  • Select Use HTTPS (HTTP over SSL) and Use custom key and certificate, and click Next.
  • Read the on-screen information, type and confirm the password and click Next. The key password is updated.
  • Restart the CAS service.
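The following is an added example, not code from this thread or from the Dynatrace documentation, that does on the command line what the quoted steps 7 and 8 (merging the certificates into chain.txt) and steps 4 to 8 of the procedure above describe, and checks the result before CAS is pointed at the files. It uses openssl only; the file names root.cer, inter.cer, server.cer, server.der, chain.txt, pkey.p12 and pkey.pem are placeholders, and the root, intermediate and server certificates in demo are constructed on the fly in a temporary directory, so nothing here touches a real CA.

```shell
#!/bin/sh
# Added example (not from the thread or the Dynatrace docs): assemble and
# check chain.txt and the PEM key before pointing CAS at them.
set -eu

# True only for a Base64 (PEM) X.509 certificate. A DER or .p7b file, which is
# what a CA often returns, fails this test and must be converted first (step 4).
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# Convert a binary DER certificate to PEM ("Base64 X509" in the answer above).
der_to_pem() {
    openssl x509 -inform der -in "$1" -out "$2"
}

# With only one .cer from the CA (the asker's case), print who issued it, so the
# matching intermediate or root certificate can be requested from that CA.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# Build the chain file from PEM certificates in the documented order
# (root, then any intermediates, then the web server certificate).
# Prints how many certificates ended up in the file.
build_chain() {
    out="$1"; shift
    : > "$out"
    for cert in "$@"; do
        is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
        cat "$cert" >> "$out"
        # keep each BEGIN line at the start of a line even if a file lacks a final newline
        [ -z "$(tail -c1 "$cert")" ] || printf '\n' >> "$out"
    done
    grep -c -- '-----BEGIN CERTIFICATE-----' "$out"
}

# The private key (pkey.pem after step 7) must belong to the server certificate:
# derive the public key from each side and compare them.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Confirm the server certificate validates up to the root, taking intermediates
# from the chain file (the order inside chain.txt does not matter for this check).
verify_server_cert() {   # args: root.cer chain.txt server.cer
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Constructed demo: throwaway root CA, intermediate CA and server certificate,
# plus the PKCS12 -> PEM key detour of steps 6-7, all inside a temp directory.
demo() (
    set -e
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    q="-nodes -newkey rsa:2048"
    openssl req -new $q -keyout root.key -out root.csr -subj /CN=ConstructedRoot 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.cer 2>/dev/null
    openssl req -new $q -keyout inter.key -out inter.csr -subj /CN=ConstructedIntermediate 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.cer -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out inter.cer 2>/dev/null
    openssl req -new $q -keyout server.key -out server.csr -subj /CN=cas.example.test 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.cer -CAkey inter.key -CAcreateserial -days 30 -out server.cer 2>/dev/null
    # A CA that hands back DER fails is_pem_cert until it is converted.
    openssl x509 -in server.cer -outform der -out server.der
    is_pem_cert server.der && exit 1
    der_to_pem server.der server_pem.cer
    is_pem_cert server_pem.cer
    # Steps 6-7: key through PKCS12 and back to PEM, then check it still fits the cert.
    openssl pkcs12 -export -inkey server.key -in server.cer -passout pass:x -out pkey.p12
    openssl pkcs12 -in pkey.p12 -nodes -nocerts -passin pass:x -out pkey.pem 2>/dev/null
    key_matches_cert pkey.pem server.cer
    key_matches_cert inter.key server.cer && exit 1   # a wrong key is rejected
    # Steps 7-8 of the doc: merge root, intermediate and server cert into chain.txt.
    build_chain chain.txt root.cer inter.cer server.cer   # prints 3
    verify_server_cert root.cer chain.txt server.cer
)
```

Run demo to see the whole flow on constructed material, or call the individual functions on your own files: is_pem_cert on whatever the CA sent back, issuer_of on a lone signed_cert.cer to learn which issuer certificate is still missing, build_chain to produce chain.txt, key_matches_cert on pkey.pem and the server certificate, and verify_server_cert as the final check before editing common.properties and restarting the CAS service.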